US9531743B2 - Data trend analysis - Google Patents

Data trend analysis Download PDF

Info

Publication number
US9531743B2
US9531743B2 US15147471 US201615147471A US9531743B2 US 9531743 B2 US9531743 B2 US 9531743B2 US 15147471 US15147471 US 15147471 US 201615147471 A US201615147471 A US 201615147471A US 9531743 B2 US9531743 B2 US 9531743B2
Authority
US
Grant status
Grant
Patent type
Prior art keywords
cyber security
security threat
data
related
terms
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US15147471
Other versions
US20160248793A1 (en )
Inventor
Joshua Z. Howes
James Solderitsch
Ryan M. LaSalle
David W. Rozmiarek
Eric A. Ellett
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Accenture Global Services Ltd
Original Assignee
Accenture Global Services Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/20Handling natural language data
    • G06F17/27Automatic analysis, e.g. parsing
    • G06F17/2785Semantic analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/30Information retrieval; Database structures therefor ; File system structures therefor
    • G06F17/3061Information retrieval; Database structures therefor ; File system structures therefor of unstructured textual data
    • G06F17/30705Clustering or classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/30Information retrieval; Database structures therefor ; File system structures therefor
    • G06F17/3061Information retrieval; Database structures therefor ; File system structures therefor of unstructured textual data
    • G06F17/30716Browsing or visualization
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/30Information retrieval; Database structures therefor ; File system structures therefor
    • G06F17/3061Information retrieval; Database structures therefor ; File system structures therefor of unstructured textual data
    • G06F17/30731Creation of semantic tools
    • G06F17/30734Ontology
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/30Information retrieval; Database structures therefor ; File system structures therefor
    • G06F17/30861Retrieval from the Internet, e.g. browsers
    • G06F17/30864Retrieval from the Internet, e.g. browsers by querying, e.g. search engines or meta-search engines, crawling techniques, push systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151Time stamp

Abstract

According to an example, a method for data trend analysis may include retrieving data from data sources, associating the data with a time, and identifying co-occurrences of terms and concepts within the data. In response to determining that co-occurrences of term and concept pairs reach a predefined threshold, the method may include adding the term and concept pairs to an ontology. The method may include logging occurrences of terms in the ontology within the data with respect to associated data times, identifying a plurality of time periods, and for one of the plurality of time periods and for the logged terms, determining a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determining a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods.

Description

PRIORITY

This application is a Continuation of commonly assigned and co-pending U.S. patent application Ser. No. 13/826,965, filed Mar. 14, 2013, which claims the benefit of provisional patent application U.S. Ser. No. 61/751,252, filed Jan. 10, 2013, the disclosure of which are hereby incorporated by reference in their entireties.

BACKGROUND

Data sources can include a substantial amount of information related to various topics. Examples of data sources can include databases, computer files, data streams, raw data originating from observation, survey and research, and generally any source that can be used to obtain digitized data. Data sources may be categorized, for example, as structured, semi-structured, or unstructured data sources. Structured data sources may include data sources that are identifiable based on a structural organization. Structured data in such structured data sources may also be searchable by data type within data content. Unstructured data may include data such as raw unstructured text that does not include an identifiable structural organization. Semi-structured data may include data that includes structured data that is searchable by data type within content and unstructured data. Based, for example, on the vast amounts of information available in such structured, semi-structured, and unstructured data sources, it can be challenging to analyze such data sources to identify data trends.

BRIEF DESCRIPTION OF DRAWINGS

Features of the present disclosure are illustrated by way of examples shown in the following figures. In the following figures, like numerals indicate like elements, in which:

FIG. 1 illustrates an architecture of a data trend analysis system, according to an example of the present disclosure;

FIG. 2 illustrates an example of an application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure;

FIG. 3 illustrates a threat ontology for application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure;

FIG. 4 illustrates a list of term counts, according to an example of the present disclosure;

FIG. 5 illustrates a process for term weighting, according to an example of the present disclosure;

FIGS. 6A-6D illustrate scoring of ontology-factored threats for an application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure;

FIG. 7 illustrates a user interface display for an application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure;

FIG. 8 illustrates a flowchart of an application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure;

FIG. 9 illustrates a method for data trend analysis, according to an example of the present disclosure;

FIG. 10 illustrates further details of the method for data trend analysis for threat trend analysis, according to an example of the present disclosure; and

FIG. 11 illustrates a computer system, according to an example of the present disclosure.

DETAILED DESCRIPTION

For simplicity and illustrative purposes, the present disclosure is described by referring mainly to examples. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. It will be readily apparent however, that the present disclosure may be practiced without limitation to these specific details. In other instances, some methods and structures have not been described in detail so as not to unnecessarily obscure the present disclosure.

Throughout the present disclosure, the terms “a” and “an” are intended to denote at least one of a particular element. As used herein, the term “includes” means includes but not limited to, the term “including” means including but not limited to. The term “based on” means based at least in part on.

Data trend analysis may include, for example, the collection of information and the determination of a pattern, or trend, in the information. Data trend analysis may be used, for example, to predict future events, and to estimate uncertain events in the past. For information that can be available in a variety of structured, semi-structured, and unstructured data sources, it can be challenging to analyze such data sources and the vast amounts of data contained therein to identify data trends. For example, a data trend analysis expert may aggregate data and attempt to provide a perspective into trends associated with the data. However, such trend analysis can be biased based on the subjective understanding of the expert. Such trend analysis may also be limited by factors such as time constraints, expert knowledge, the type of data sources analyzed, and goals associated with the trend analysis.

For example, in the area of cyber security, a threat intelligence expert or a threat related product may be used to aggregate and report security information to provide a perspective into a current cyber security landscape. The threat intelligence expert may ascertain threat intelligence from vendors that specialize in particular areas and provide information in a structured format. However, threat intelligence information is often available in unstructured data sources, such as Internet forum postings, news articles, blogs, etc., and semi-structured data sources, such as spread-sheets, etc. A comprehensive analysis of such structured, semi-structured, and unstructured data sources can provide valuable insight into data trends compared to techniques limited to evaluation of structured data, or reliance on expert knowledge.

A data trend analysis system and a method for data trend analysis are disclosed herein. The system and method disclosed herein may be applied to a variety of fields, such as cyber security, marketing, sales, etc. According to an example, the data trend analysis system disclosed herein may include a memory storing machine readable instructions to retrieve data from one or more data sources, associate the data with a time, and identify co-occurrences of terms and concepts within the data. In response to determining that co-occurrences of term and concept pairs reach a predefined threshold, the machine readable instructions may add the term and concept pairs to an ontology. The machine readable instructions may further log occurrences of terms in the ontology within the data with respect to associated data times, and identify a plurality of time periods. For one of the plurality of time periods and for the logged terms, the machine readable instructions may determine a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determine a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods. The machine readable instructions may further determine a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods. The data trend analysis system may further include a processor to implement the machine readable instructions.

According to another example, the method for data trend analysis disclosed herein may include retrieving data from one or more data sources, associating the data with a time, and identifying co-occurrences of terms and concepts within the data. Retrieving data from the one or more data sources may include retrieving the data from structured, unstructured, and/or semi-structured data sources. For the structured data source, retrieving the data may include parsing the data. For the unstructured or the semi-structured data sources, terms of an ontology may be identified and extracted from the unstructured or the semi-structured data sources. The co-occurrences of terms and concepts within the data may be performed, for example, by using Latent Semantic Analysis (LSA). In response to determining that co-occurrences of term and concept pairs reach a predefined threshold, the method disclosed herein may include adding the term and concept pairs to an ontology. Further, the method disclosed herein may include logging occurrences of terms in the ontology within the data with respect to associated data times, and identifying a plurality of time periods. For one of the plurality of time periods and for the logged terms, the method disclosed herein may include determining a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determining a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods. Determination of the second score may include determining a quotient value by dividing a count of occurrences of the logged term across the plurality of time periods by a count of occurrences of the logged terms across the plurality of time periods, and determining a logarithm of an inverse of the quotient value. The method disclosed herein may further include determining a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods. The method disclosed herein may further include filtering the logged terms based on user preferences by multiplying the third score by a user-preference factor, filtering the logged terms based on community feedback by multiplying the third score by a community feedback factor, and prioritizing the filtered logged terms based on an ascending or a descending order related to the third score.

According to a further example, a method for forecasting cyber security threat risks is disclosed herein and may include retrieving cyber security threat information from structured data sources, retrieving cyber security threat related information from semi-structured and un-structured data sources, and extracting additional cyber security threat information from the retrieved cyber security threat related information. The method may further include identifying co-occurrences of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information, and in response to determining that co-occurrences of threat-related term and threat-related concept pairs reach a predefined threshold, adding the term and concept pair to an ontology. The method disclosed herein may further include logging occurrences of terms in the ontology within the cyber security threat information or the cyber security threat related information or both with respect to time, and identifying a plurality of time periods. For one of the plurality of time periods and for the logged terms, the method disclosed herein may include determining a first score indicative of a weighted term frequency metric for the logged term during the one time period, and determining a second score indicative of a commonality of a presence of the logged term among the plurality of time periods.

The data trend analysis system and the method for data trend analysis disclosed herein provide a technical solution to the technical problem of data trend analysis for information available, for example, in structured, semi-structured, and unstructured data sources. In many instances, manual data trend analysis is not a viable solution given the heterogeneity and complexities associated with data sources that can include a substantial amount of information related to various topics. The system and method disclosed herein provide the technical solution of automatic data trend analysis by retrieving data from one or more data sources, associating the data with a time, and identifying co-occurrences of terms and concepts within the data. In response to determining that co-occurrences of term and concept pairs reach a predefined threshold, the system and method disclosed herein provide for adding the term and concept pairs to an ontology. Further, the system and method disclosed herein provide for logging of occurrences of terms in the ontology within the data with respect to associated data times, and identifying a plurality of time periods. For one of the plurality of time periods and for the logged terms, the system and method disclosed herein provide the technical solution of determining a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determining a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods. Further, the system and method disclosed herein provide the technical solution of determining a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods. Based on the determination of the first, second, and third scores, and further, based on evaluation of user preferences and community feedback, the system and method disclosed herein provide the technical solution of automatically filtering and prioritizing threat trends, and displaying the threat trends.

FIG. 1 illustrates an architecture of a data trend analysis system 100, according to an example of the present disclosure. Referring to FIG. 1, the system 100 is depicted as including an information parsing module 101 to retrieve structured data from a structured data source 102, and to parse the structured data. An information extraction module 103 may retrieve data from unstructured and semi-structured data sources 104, 105, respectively, and identify and extract terms from the unstructured and semi-structured data sources 104, 105. The information parsing module 101 and the information extraction module 103 may be combined into a single module that retrieves, parses, and extracts data from the data sources 102, 104, and 105. The information extraction module 103 may identify and extract the terms based on a predetermined list of terms 106. The predetermined list of terms 106 may be stored in a database 107. Occurrences of terms from the predetermined list of terms 106 in the data from the unstructured and semi-structured data sources 104, 105 may be stored as term occurrences 108 in the database 107. Further, the structured data received from the structured data source 102 may be parsed by the information parsing module 101 based on the predetermined list of terms 106, and may also be stored as term occurrences 108 in the database 107. An ontology creation module 109 may create and/or modify one or more ontologies 110 based on co-occurrence of terms and concepts. For example, the ontology creation module 109 may provide for improvement of the predetermined list of terms 106 by using LSA to determine relationships between terms and concepts, and adding the terms and concepts to the ontologies 110 if the co-occurrence of a term and a concept pair reaches a predetermined threshold. The ontologies 110 may be used, for example, to determine relationships between the term occurrences 108. A scoring module 111 may use the term occurrences 108 and the ontologies 110 to determine trends in the content of the data sources 102, 104, and 105. The trends may be stored in the database 107 as shown at 112. A trend determination module 113 may further filter and prioritize the trends 112 in the content of the data sources 102, 104, and 105 based on user preferences and community feedback received, for example, via a user interface 114. The user preferences and community feedback may be stored in the database 107 as shown at 115. The user interface 114 may be used to further display the trends 112 in the content of the data sources 102, 104, and 105 to one or more users of the data trend analysis system 100. The user preferences and community feedback may be used, for example, to display multiple views of data trends, such as global data trends, regional data trends based on an organization's industry, and localized data trends specific to users of the data trend analysis system 100.

The modules and other components of the system 100 that perform various other functions in the system 100, may comprise machine readable instructions stored on a non-transitory computer readable medium. In addition, or alternatively, the modules and other components of the system 100 may comprise hardware or a combination of machine readable instructions and hardware.

The data trend analysis provided by the system 100 may be applied to a variety of fields, such as cyber security, marketing, sales, etc. Referring to FIGS. 1 and 2, FIG. 2 illustrates an example of an application of the data trend analysis system 100 to cyber security, for example, for threat trend analysis, according to an example of the present disclosure. Referring to FIGS. 1 and 2, the information parsing module 101 and the information extraction module 103 may respectively parse structured data from the structured data source 102, and extract unstructured and semi-structured data from the unstructured and semi-structured data sources 104, 105. For example, in the area of cyber security, organizations may provide structured data that is searchable by data type, such as, malware, virus, etc. Such structured data may be parsed by the information parsing module 101. For example, the information parsing module 101 may parse the structured data by using the predetermined list of terms 106. Further, in the area of cyber security, sources of unstructured data may include, for example, Internet forum postings, news articles, blogs, etc., on topics related to viruses, organizations affected by malware, virus names, etc. Such unstructured and semi-structured data (i.e., data that includes structured data that is searchable by data type within content and unstructured data) may be retrieved by the information extraction module 103 to identify and extract terms from the predetermined list of terms 106.

Referring to FIGS. 1 and 2, for the example of the application of the data trend analysis system 100 to cyber security, the trend determination module 113 may further filter and prioritize threat trends (e.g., at 120, 121 in FIG. 2) in the content of the data sources 102, 104, and 105 based on user preferences 122 received from a user 123 (e.g., a security analyst) and community feedback 124 received from a user community 125 (e.g., a plurality of user types related to the system 100). The user preferences 122 and the community feedback 124 may be received, for example, via the user interface 114. The user preferences 122 may include preferences related to an organization that is associated with the user 123, and information related to the system 100 (e.g., thresholds, display format, etc., as discussed below). The user interface 114 may be used to further display the threat trends in the content of the data sources 102, 104, and 105 to the user 123 and to the user community 125 of the data trend analysis system 100.

The information extraction module 103 may retrieve data from the unstructured and semi-structured data sources 104, 105, respectively, and identify and extract terms from the unstructured and semi-structured data sources 104, 105. The information extraction module 103 may also extract information related to the identified and extracted terms, such as date and time of identification and extraction, source identification, phrase details related to an area of application of the system 100, etc. For the example of the application of the data trend analysis system 100 to cyber security, the information extraction module 103 may extract information such as specific cyber security phrase details (e.g., the terms virus, malware, etc., and co-occurrence of concepts). The information extraction module 103 may identify and extract the terms based on the predetermined list of terms 106. For the example of the application of the data trend analysis system 100 to cyber security, the information extraction module 103 may further extract other aspects related to the extracted terms, such as organization name, name of people associated with the extracted terms, etc. For example, the information extraction module 103 may use a named-entity recognition (NER) technique to extract the additional aspects related to the extracted terms. The data trend analysis provided by the system 100 may also be directed to such other aspects related to the extracted terms. For example, the data trend analysis provided by the system 100 may be directed to a particular type of virus (e.g., ABC virus).

Referring to FIG. 1, the ontology creation module 109 may create one or more ontologies 110 based on co-occurrence of terms and concepts. For example, the ontology creation module 109 may provide for improvement of the predetermined list of terms 106 by using LSA to determine relationships between terms and concepts, and may further add the terms and concepts to the ontologies 110 if the co-occurrence of a term and a concept pair reaches a predetermined threshold (e.g., between a range of 0-1 for LSA). Concepts may defined as a word (i.e., the same or different word as a term in the predetermined list of terms 106) or a plurality of words (i.e., a plurality of the same or different words as terms in the predetermined list of terms 106). For the example of the application of the data trend analysis system 100 to cyber security, the ontologies 110 may include threat, organizational, and technology ontologies. The threat ontology may pertain to specific cyber security related threats (e.g., threats related to e-mail, threats related to user data, etc.). The organizational ontology may pertain to specific organizations that are involved in cyber security and/or affected by cyber security related threats. The technology ontology may pertain to specific technology affected by cyber security related threats. For example, FIG. 3 illustrates a portion of a threat ontology 130 for application of the data trend analysis system 100 to threat trend analysis, according to an example of the present disclosure. The threat ontology 130 may include terms, such as Melissa at 131, MyDoom at 132, etc., which respectively relate to higher order terms Viruses at 133 and Malware at 134. Additional terms may be provided in the threat ontology 130 for relation with higher order terms Ransomware at 135, Worms at 136, etc.

The scoring module 111 may use the term occurrences 108 and the ontologies 110 to determine emerging trends in the content of the data sources 102, 104, and 105. Generally, the scoring module 111 may use the term occurrences 108 and the ontologies 110 to determine emerging trends in the content of the data sources 102, 104, and 105 by using a statistic to determine the importance of terms to a given time period (e.g., hour, day, week, month, etc.). The scoring module 111 may count occurrences of each term segmented by time period. For the example of the application of the data trend analysis system 100 to cyber security, the scoring module 111 may count occurrences of each threat related term segmented by time period. For example, the scoring module 111 may generate a list of term counts 140 as shown in FIG. 4. The terms of the term counts 140 may include terms in the predetermined list of terms 106 and terms and/or concepts of the ontologies 110. The list of term counts 140 may include a time period at 141, a term designation at 142, and a term count at 143.

The scoring module 111 may further determine a first score indicative of a weighted term frequency metric for a time period. For example, the scoring module 111 may determine the first score indicative of the weighted term frequency metric as follows:
tf(t,p)=log10 f(t,p)  Equation (1)
For Equation (1), t may be used to designate a term, p may be used to designate a period, and f(t,p) may be used to designate a frequency of a term during a period. Thus, the first score may be determined by a logarithm of a count of occurrences of a term t within the data during a time period p. Referring to FIGS. 6A and 6B, an example of determining the first score indicative of the weighted term frequency metric for a time period using Equation (1) is illustrated for application of the data trend analysis system 100 to cyber security. The weighted term frequency metric determination of FIGS. 6A and 6B shows f(t,p) at 150 and 151, for example, for term JAVA at 152, and corresponding periods, for example, at 153, 154, etc. Similar f(t,p) values are shown for other terms such as malware at 155, denial of service at 156, etc. Referring to FIG. 6B, first scores indicative of the weighted term frequency metrics are shown at 160, 161, etc., corresponding respectively to the f(t,p) values at 150, 151, etc.

The scoring module 111 may further determine whether a term is common or rare across all the time periods by determining a second score indicative of a probabilistic inverse period frequency (IPF). Generally, the IPF may be determined by determining a quotient value that represents a probability by dividing a count of occurrences of a term across all the time periods by a count of occurrences of all terms across all the time periods, and determining a logarithm of an inverse of the quotient value. For example, the IPF may be determined as follows:

P ( t ) = Σ f ( t , p ) : p P Σ f ( t , p ) : { p P : t T } Equation ( 2 ) ipf ( t ) = log 10 1 P ( t ) Equation ( 3 )
For Equation (2), P may be used to designate a total number of time periods, and {pεP:tεT} may be used to designate all time periods and all terms. Referring to FIG. 6C, an example of IPF determination using Equations (2) and (3) is illustrated for application of the data trend analysis system 100 to cyber security. The IPF determination of FIG. 6C shows ipf(t) for example, at 170, 171, etc. corresponding to the weighted term frequency metric determination of FIGS. 6A and 6B.

The scoring module 111 may further determine top terms by calculating a third score indicative of a trending metric (i.e., TF-IPF). For example, the scoring module 111 may determine TF-IPF as follows:
tfipf(t,p)=tf(t,p)*ipf(t)  Equation (4)
Referring to FIG. 6D, an example of TF-IPF determination using Equation (4) is illustrated for application of the data trend analysis system 100 to cyber security. The TF-IPF determination of FIG. 6D shows tfipf(t,p) for example, at 180, 181, etc., corresponding to the tf(t,p) determination of FIGS. 6A and 6B, and the ipf(t) determination of FIG. 6C. The TF-IPF determination for each of the terms for the term occurrences 108 may be stored as the trends 112 in the database 107.

The trend determination module 113 may filter and prioritize the trends 112 in the content of the data sources 102, 104, and 105 based on user preferences and community feedback received, for example, via the user interface 114. For example, the trend determination module 113 may receive user preferences and community feedback such as likes, dislikes, favorites, blocked terms, etc. The trend determination module 113 may apply weighting to the TF-IPF determination to incorporate such user preferences and community feedback. For example, referring to FIG. 5, the trend determination module 113 may calculate a like multiplier at 190, a dislike multiplier at 191, and a net like multiplier at 192 that accounts for the like multiplier at 190 and the dislike multiplier at 191. The net like multiplier at 192 may be applied to the TF-IPF determination by the scoring module 111 to generate an adjusted TF-IPF value at 193. The user interface 114 may be used to further display the trends 112 in the content of the data sources 102, 104, and 105 to one or more users (not shown) of the data trend analysis system 100. For example, the user interface 114 may be used to display the trends 112 in descending order based on the corresponding adjusted TF-IPF values. For example, referring to FIG. 7, the user interface 114 may display the trends 112 in descending order based on the corresponding adjusted TF-IPF values. For example, the trends 112 may be displayed based on user preferences received via the user interface 114. A user may further select terms, for example, at 200 and additional details related to the terms may be displayed at 201, 202.

FIG. 8 illustrates a flowchart 300 of an application of the data trend analysis system to threat trend analysis, according to an example of the present disclosure. FIGS. 9 and 10 respectively illustrate flowcharts of methods 400 and 500 for data trend analysis and forecasting cyber security threat risks, according to examples. The methods 300, 400, and 500 may be implemented on the data trend analysis system 100 described above with reference to FIGS. 1-7 by way of example and not limitation. The methods 300, 400, and 500 may be practiced in other systems.

Referring to FIG. 8, for the flowchart 300 of an application of the data trend analysis system to threat trend analysis, at block 301, the data trend analysis system 100 may retrieve and parse threat information from a structured data source. For example, referring to FIG. 1, the information parsing module 101 may retrieve and parse structured threat information from the structured data source 102.

At block 302, the data trend analysis system 100 may retrieve, identify, and extract threat information from unstructured and semi-structured data sources. For example, referring to FIG. 1, the information extraction module 103 may retrieve threat information from unstructured and semi-structured data sources 104, 105, respectively, and identify and extract terms (i.e., threat information) from the unstructured and semi-structured data sources 104, 105.

At block 303, term occurrences may be stored in a data store. For example, referring to FIG. 1, the structured data retrieved from the structured data source 102 and parsed by the information parsing module 101 may be stored as term occurrences 108 in the database 107. Further, occurrences of terms from the predetermined list of terms 106 in the data from the unstructured and semi-structured data sources 104, 105 may also be stored as term occurrences 108 in the database 107.

At block 304, threat, organization, and technology ontologies may be created and/or modified based on co-occurrence in content of the data of the data sources 102, 104, and 105. For example, referring to FIG. 1, the ontology creation module 109 may create one or more ontologies 110 (e.g., threat, organization, and technology ontologies), or modify existing ontologies 110, based on co-occurrence of terms and concepts. For example, the ontology creation module 109 may provide for improvement of the predetermined list of terms 106 by using LSA to determine relationships between terms and concepts, and adding the terms and concepts to the ontologies 110 if the co-occurrence of a term and a concept pair reaches a predetermined threshold.

At block 305, the ontologies created at block 304 may be saved in the data store. For example, referring to FIG. 1, the threat, organization, and technology ontologies may be stored in the database 107 as the ontologies 110.

At block 306, ontology factored threats may be scored based on historical trends. For example, referring to FIG. 1, the scoring module 111 may use the term occurrences 108 and the ontologies 110 to determine trends in the content of the data sources 102, 104, and 105. The ontologies 110 may be used, for example, to determine relationships between the term occurrences 108.

At block 307, threat trends may be filtered and prioritized based on user preferences and community feedback. For example, referring to FIG. 1, the trend determination module 113 may filter and prioritize the trends 112 in the content of the data sources 102, 104, and 105 based on user preferences and community feedback received, for example, via the user interface 114.

At block 308, threat trends may be displayed to users of the data trend analysis system 100. For example, referring to FIG. 1, the user interface 114 may be used to display the trends 112 (i.e., or the trends 112 based on the adjusted TF-IPF values) in the content of the data sources 102, 104, and 105 to one or more users of the data trend analysis system 100.

At block 309, the data trend analysis system 100 may collect community feedback. For example, referring to FIG. 1, the user interface 114 may be used to collect community feedback.

At block 310, the community feedback collected at block 309 may be stored. For example, referring to FIG. 1, community feedback may be stored in the database 107 as shown at 115.

At block 311, the data trend analysis system 100 may collect user preferences. For example, referring to FIG. 1, the user interface 114 may be used to collect user preferences.

At block 312, the user preferences collected at block 311 may be stored. For example, referring to FIG. 1, user preferences may be stored in the database 107 as shown at 115.

Referring to FIG. 9, for the method 400 for data trend analysis, at block 401, data may be retrieved from one or more data sources. For example, referring to FIG. 1, the information parsing module 101 may retrieve and parse structured data from the structured data source 102. Further, the information extraction module 103 may retrieve data from unstructured and semi-structured data sources 104, 105, respectively, and identify and extract terms from the unstructured and semi-structured data sources 104, 105.

At block 402, the data may be associated with a time. For example, referring to FIG. 1, the structured, unstructured and semi-structured data may be stored in the database 107 and associated with a time of retrieval or a time of data creation as specified in a data source.

At block 403, co-occurrences of terms and concepts within the data may be identified. For example, referring to FIG. 1, the ontology creation module 109 may identify co-occurrence of terms and concepts within the data of the data sources 102, 104, and 105.

At block 404, in response to determining that co-occurrences of term and concept pairs reach a predefined threshold, term and concept pairs may be added to an ontology. For example, referring to FIG. 1, the ontology creation module 109 may create one or more ontologies 110 based on co-occurrence of term and concept pairs reaching a predefined threshold.

At block 405, occurrences of terms in the ontology within the data may be logged with respect to associated data times. For example, referring to FIG. 1, the ontology creation module 109 may log occurrences of terms in the ontologies 110 within the data with respect to associated data times.

At block 406, a plurality of time periods may be identified. For example, referring to FIG. 1, the scoring module 111 may identify a plurality of time periods. The time periods may be automatically determined based, for example, on all available time periods associated with retrieval of the structured, unstructured, and semi-structured data, or based on user preferences for evaluation of the structured, unstructured, and semi-structured data within a range of a plurality of time periods.

At block 407, for one of the plurality of time periods and for the logged terms, a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period may be determined. For example, referring to FIG. 1, the scoring module 111 may determine a first score (e.g., using Equation (1)) indicative of a weighted term frequency metric for a logged term within the data during the one time period. For example, the first score may be determined by determining a logarithm of a count of occurrences of the logged term within the data during the one time period.

At block 408, a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods may be determined. For example, referring to FIG. 1, the scoring module 111 may determine a second score (e.g., using Equations (2) and (3)) indicative of a commonality of a presence of the logged term within the data among the plurality of time periods.

Referring to FIG. 10, for the method 500 for forecasting cyber security threat risks, at block 501, cyber security threat information may be retrieved from structured data sources. For example, referring to FIG. 1, the information parsing module 101 may retrieve and parse cyber security threat information from the structured data source 102.

At block 502, cyber security threat related information may be retrieved from semi-structured and un-structured data sources. For example, referring to FIG. 1, the information extraction module 103 may retrieve cyber security threat related information from unstructured and semi-structured data sources 104, 105, respectively.

At block 503, additional cyber security threat information may be extracted from the retrieved cyber security threat related information. For example, referring to FIG. 1, the information extraction module 103 may identify and extract additional cyber security threat information from the unstructured and semi-structured data sources 104, 105. The additional cyber security threat information may be identified and extracted based on the predetermined list of terms 106.

At block 504, co-occurrences of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information may be identified. For example, referring to FIG. 1, the ontology creation module 109 may identify co-occurrence of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information. For example, the ontology creation module 109 may use LSA to identify co-occurrence of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information.

At block 505, in response to determining that co-occurrences of threat-related term and threat-related concept pairs reach a predefined threshold, the term and concept pairs may be added to an ontology. For example, referring to FIG. 1, the ontology creation module 109 may create one or more ontologies 110 based on co-occurrence of threat-related term and threat-related concept pairs reaching a predefined threshold.

At block 506, occurrences of terms in the ontology within the cyber security threat information or the cyber security threat related information or both may be logged with respect to time. For example, referring to FIG. 1, the ontology creation module 109 may log occurrences of terms in the ontologies 110 within the cyber security threat information or the cyber security threat related information or both with respect to time.

At block 507, a plurality of time periods may be identified. For example, referring to FIG. 1, the scoring module 111 may identify a plurality of time periods. The time periods may be automatically determined based, for example, on all available time periods associated with retrieval of the structured, unstructured and semi-structured data, or based on user preferences for evaluation of the structured, unstructured and semi-structured data within a range of a plurality of time periods.

At block 508, for one of the plurality of time periods and for the logged terms, a first score indicative of a weighted term frequency metric for the logged term during the one time period may be determined. For example, referring to FIG. 1, the scoring module 111 may determine a first score (e.g., using Equation (1)) indicative of a weighted term frequency metric for a logged term within the data during the one time period. For example, the first score may be determined by determining a logarithm of a count of occurrences of the logged term within the data during the one time period.

At block 509, a second score indicative of a commonality of a presence of the logged term among the plurality of time periods may be determined. For example, referring to FIG. 1, the scoring module 111 may determine a second score (e.g., using Equations (2) and (3)) indicative of a commonality of a presence of the logged term within the data among the plurality of time periods.

FIG. 11 shows a computer system 600 that may be used with the examples described herein. The computer system 600 represents a generic platform that includes components that may be in a server or another computer system. The computer system 600 may be used as a platform for the system 100. The computer system 600 may execute, by a processor or other hardware processing circuit, the methods, functions and other processes described herein. These methods, functions and other processes may be embodied as machine readable instructions stored on computer readable medium, which may be non-transitory, such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory).

The computer system 600 includes a processor 602 that may implement or execute machine readable instructions performing some or all of the methods, functions and other processes described herein. Commands and data from the processor 602 are communicated over a communication bus 604. The computer system 600 also includes a main memory 606, such as a random access memory (RAM), where the machine readable instructions and data for the processor 602 may reside during runtime, and a secondary data storage 608, which may be non-volatile and stores machine readable instructions and data. The memory and data storage are examples of computer readable mediums. The memory 606 may include a data trend analysis module 620 including machine readable instructions residing in the memory 606 during runtime and executed by the processor 602. The module 620 may include the modules of the system 100 described with reference to FIGS. 1-7.

The computer system 600 may include an I/O device 610, such as a keyboard, a mouse, a display, etc. The computer system 600 may include a network interface 612 for connecting to a network. Other known electronic components may be added or substituted in the computer system 600.

What has been described and illustrated herein are examples along with some of their variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the spirit and scope of the subject matter, which is intended to be defined by the following claims and their equivalents in which all terms are meant in their broadest reasonable sense unless otherwise indicated.

Claims (20)

What is claimed is:
1. A method for cyber security threat related data trend analysis, the method comprising:
retrieving, over a computer network, cyber security threat related data from at least one data source;
associating the cyber security threat related data with a time;
identifying, by a hardware processor, co-occurrences of terms and concepts within the cyber security threat related data;
in response to determining that co-occurrences of term and concept pairs reach a predefined threshold, adding the term and concept pairs to an ontology;
logging occurrences of terms in the ontology within the cyber security threat related data with respect to associated data times;
identifying a plurality of time periods;
for one of the plurality of time periods and for the logged terms:
determining, by the hardware processor, a first score indicative of a weighted term frequency metric for a logged term within the cyber security threat related data during the one time period by
determining a logarithm of a count of occurrences of the logged term within the cyber security threat related data during the one time period, and
determining, by the hardware processor, a second score indicative of a commonality of a presence of the logged term within the cyber security threat related data among the plurality of time periods;
using the first and second scores to determine a cyber security threat trend;
monitoring the at least one data source or another source related to the at least one data source based on the determined cyber security threat trend; and
generating, based on the monitoring, a report indicative of the cyber security threat trend related to the cyber security threat related data.
2. The method of claim 1, wherein determining the second score further comprises:
determining a quotient value by dividing a count of occurrences of the logged term across the plurality of time periods by a count of occurrences of the logged terms across the plurality of time periods; and
determining a logarithm of an inverse of the quotient value.
3. The method of claim 1, wherein identifying co-occurrences of the terms and the concepts within the cyber security threat related data further comprises:
using Latent Semantic Analysis (LSA) to identify co-occurrences of the terms and the concepts within the cyber security threat related data.
4. The method of claim 1, wherein retrieving the cyber security threat related data from the at least one data source further comprises:
retrieving the cyber security threat related data from at least one of structured, unstructured, and semi-structured data sources;
in response to determining that the at least one data source is the structured data source, parsing the cyber security threat related data for the structured data source; and
in response to determining that the at least one data source is the unstructured or the semi-structured data source, identifying and extracting the terms from the unstructured or the semi-structured data sources.
5. The method of claim 1, further comprising:
determining a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods; and
filtering the logged terms based on community feedback by multiplying the third score by a community feedback factor.
6. The method of claim 5, further comprising:
prioritizing the filtered logged terms based on an ascending or a descending order related to the third score.
7. The method of claim 1, wherein the cyber security threat related data is related to cyber security threat information and cyber security threat related information, the method further comprises:
retrieving the cyber security threat related data related to the cyber security threat information from a structured data source of the least one data source;
retrieving the cyber security threat related data related to the cyber security threat related information from semi-structured and un-structured data sources of the least one data source;
extracting additional cyber security threat information from the retrieved cyber security threat related information; and
identifying co-occurrences of the terms and the concepts within the cyber security threat related data by identifying co-occurrences of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information.
8. A cyber security threat related data trend analysis system comprising:
at least one hardware processor; and
a memory storing machine readable instructions that when executed by the at least one hardware processor cause the at least one hardware processor to:
retrieve, over a computer network, cyber security threat information from structured data sources;
retrieve, over the computer network, cyber security threat related information from semi-structured and un-structured data sources;
extract additional cyber security threat information from the retrieved cyber security threat related information;
identify co-occurrences of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information;
in response to determining that co-occurrences of threat-related term and threat-related concept pairs reach a predefined threshold, add the term and concept pairs to an ontology;
log occurrences of terms in the ontology within the cyber security threat information or the cyber security threat related information or both with respect to time;
identify a plurality of time periods;
for one of the plurality of time periods and for the logged terms:
determine a first score indicative of a weighted term frequency metric for a logged term during the one time period, and
determine a second score indicative of a commonality of a presence of the logged term among the plurality of time periods;
use the first and second scores to determine a cyber security threat trend;
monitor the structured data sources or the semi-structured and un-structured data sources based on the determined cyber security threat trend;
generate, based on the monitoring, a report indicative of the cyber security threat trend;
determine a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods; and
filter the logged terms based on community feedback by multiplying the third score by a community feedback factor.
9. The data trend analysis system of claim 8, wherein the machine readable instructions to determine the second score further comprise machine readable instructions that when executed by the at least one hardware processor further cause the at least one hardware processor to:
determine a quotient value by dividing a count of occurrences of the logged term across the plurality of time periods by a count of occurrences of the logged terms across the plurality of time periods; and
determine a logarithm of an inverse of the quotient value.
10. The data trend analysis system of claim 8, wherein the machine readable instructions to identify co-occurrences of the threat-related terms and the threat-related concepts further comprise machine readable instructions that when executed by the at least one hardware processor further cause the at least one hardware processor to:
using Latent Semantic Analysis (LSA) to identify co-occurrences of the threat-related terms and the threat-related concepts.
11. The data trend analysis system of claim 8, further comprising machine readable instructions that when executed by the at least one hardware processor further cause the at least one hardware processor to:
prioritize the filtered logged terms based on an ascending or a descending order related to the third score.
12. A non-transitory computer readable medium having stored thereon a computer executable program to provide cyber security threat related data trend analysis, the computer executable program when executed causes at least one hardware processor to:
retrieve, over a computer network, cyber security threat related data from at least one data source;
associate the cyber security threat related data with a time;
identify co-occurrences of terms and concepts within the cyber security threat related data;
in response to determining that co-occurrences of term and concept pairs reach a predefined threshold, add the term and concept pairs to an ontology;
log occurrences of terms in the ontology within the cyber security threat related data with respect to associated data times;
identify a plurality of time periods;
for one of the plurality of time periods and for the logged terms:
determine a first score indicative of a weighted term frequency metric for a logged term within the cyber security threat related data during the one time period, and
determine a second score indicative of a commonality of a presence of the logged term within the cyber security threat related data among the plurality of time periods;
use the first and second scores to determine a cyber security threat trend;
monitor the at least one data source or another source related to the at least one data source based on the determined cyber security threat trend;
generate, based on the monitoring, a report indicative of the cyber security threat trend related to the cyber security threat related data;
determine a third score indicative of the weighted term frequency metric for the logged term during the one time period and the commonality of the presence of the logged term among the plurality of time periods;
filter the logged terms based on the third score; and
prioritize the filtered logged terms based on an ascending or a descending order.
13. The non-transitory computer readable medium of claim 12, the computer executable program when executed further causes the at least one hardware processor to:
determine the first score by determining a logarithm of a count of occurrences of the logged term within the cyber security threat related data during the one time period.
14. The non-transitory computer readable medium of claim 12, the computer executable program when executed further causes the at least one hardware processor to:
determine the second score by determining a quotient value by dividing a count of occurrences of the logged term across the plurality of time periods by a count of occurrences of the logged terms across the plurality of time periods, and determining a logarithm of an inverse of the quotient value.
15. The non-transitory computer readable medium of claim 12, wherein the computer executable program to cause the at least one hardware processor to identify co-occurrences of the terms and the concepts within the cyber security threat related data further causes the at least one hardware processor to:
use Latent Semantic Analysis (LSA) to identify co-occurrences of the terms and the concepts within the cyber security threat related data.
16. The non-transitory computer readable medium of claim 12, the computer executable program when executed further causes the at least one hardware processor to:
retrieve the cyber security threat related data from at least one of structured, unstructured, and semi-structured data sources;
in response to determining that the at least one data source is the structured data source, parse the cyber security threat related data for the structured data source; and
in response to determining that the at least one data source is the unstructured or the semi-structured data source, identify and extract the terms from the unstructured or the semi-structured data sources.
17. The non-transitory computer readable medium of claim 12, wherein the computer executable program to cause the at least one hardware processor to filter the logged terms based on the third score further causes the at least one hardware processor to:
filter the logged terms based on community feedback by multiplying the third score by a community feedback factor.
18. The non-transitory computer readable medium of claim 17, wherein the computer executable program to cause the at least one hardware processor to prioritize the filtered logged terms based on the ascending or the descending order further causes the at least one hardware processor to:
prioritize the filtered logged terms based on the ascending or the descending order related to the third score.
19. The non-transitory computer readable medium of claim 12, wherein the at least one data source includes at least one of structured, unstructured, and semi-structured data sources.
20. The non-transitory computer readable medium of claim 12, wherein the cyber security threat related data is related to cyber security threat information and cyber security threat related information, the computer executable program when executed further causes the at least one hardware processor to:
retrieve the cyber security threat related data related to the cyber security threat information from a structured data source of the least one data source;
retrieve the cyber security threat related data related to the cyber security threat related information from semi-structured and un-structured data sources of the least one data source;
extract additional cyber security threat information from the retrieved cyber security threat related information; and
identify co-occurrences of the terms and the concepts within the cyber security threat related data by identifying co-occurrences of threat-related terms and threat-related concepts within the cyber security threat information and the additional cyber security threat information.
US15147471 2013-01-10 2016-05-05 Data trend analysis Active US9531743B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US201361751252 true 2013-01-10 2013-01-10
US13826965 US9355172B2 (en) 2013-01-10 2013-03-14 Data trend analysis
US15147471 US9531743B2 (en) 2013-01-10 2016-05-05 Data trend analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15147471 US9531743B2 (en) 2013-01-10 2016-05-05 Data trend analysis

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US13826965 Continuation US9355172B2 (en) 2013-01-10 2013-03-14 Data trend analysis

Publications (2)

Publication Number Publication Date
US20160248793A1 true US20160248793A1 (en) 2016-08-25
US9531743B2 true US9531743B2 (en) 2016-12-27

Family

ID=49110965

Family Applications (2)

Application Number Title Priority Date Filing Date
US13826965 Active US9355172B2 (en) 2013-01-10 2013-03-14 Data trend analysis
US15147471 Active US9531743B2 (en) 2013-01-10 2016-05-05 Data trend analysis

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US13826965 Active US9355172B2 (en) 2013-01-10 2013-03-14 Data trend analysis

Country Status (2)

Country Link
US (2) US9355172B2 (en)
EP (1) EP2755146A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140337974A1 (en) * 2013-04-15 2014-11-13 Anupam Joshi System and method for semantic integration of heterogeneous data sources for context aware intrusion detection
US9146980B1 (en) * 2013-06-24 2015-09-29 Google Inc. Temporal content selection
JP5930217B2 (en) * 2013-10-03 2016-06-08 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Method of detecting expression of a potentially hazardous representation depending on the particular theme, as well as a program for an electronic apparatus and an electronic device for detecting the expression
US20150213462A1 (en) * 2014-01-24 2015-07-30 Go Daddy Operating Company, LLC Highlighting business trends
US10122687B2 (en) 2014-09-14 2018-11-06 Sophos Limited Firewall techniques for colored objects on endpoints
WO2016038397A1 (en) * 2014-09-14 2016-03-17 Sophos Limited Labeling computing objects for improved threat detection
US9922116B2 (en) * 2014-10-31 2018-03-20 Cisco Technology, Inc. Managing big data for services
US10127252B2 (en) * 2015-03-23 2018-11-13 Oracle International Corporation History and scenario data tracking
US20170004180A1 (en) 2015-06-30 2017-01-05 International Business Machines Corporation Navigating a website using visual analytics and a dynamic data source
WO2017027718A1 (en) * 2015-08-12 2017-02-16 Aon Singapore Centre For Innovtion, Strategy And Management Dashboard interface, platform, and environment

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020038430A1 (en) 2000-09-13 2002-03-28 Charles Edwards System and method of data collection, processing, analysis, and annotation for monitoring cyber-threats and the notification thereof to subscribers
US20040236725A1 (en) * 2003-05-19 2004-11-25 Einat Amitay Disambiguation of term occurrences
US20060074632A1 (en) * 2004-09-30 2006-04-06 Nanavati Amit A Ontology-based term disambiguation
US20090048904A1 (en) 2007-08-16 2009-02-19 Christopher Daniel Newton Method and system for determining topical on-line influence of an entity
US20100100537A1 (en) 2008-10-22 2010-04-22 Fwix, Inc. System and method for identifying trends in web feeds collected from various content servers
US7890514B1 (en) 2001-05-07 2011-02-15 Ixreveal, Inc. Concept-based searching of unstructured objects
US8095559B2 (en) 2003-05-15 2012-01-10 Microsoft Corporation Fast adaptive document filtering
US20120096552A1 (en) 2009-07-07 2012-04-19 Electronics And Telecommunications Research Institute System for an engine for forecasting cyber threats and method for forecasting cyber threats using the system
US8166032B2 (en) 2009-04-09 2012-04-24 MarketChorus, Inc. System and method for sentiment-based text classification and relevancy ranking
US8191149B2 (en) 2006-11-13 2012-05-29 Electronics And Telecommunications Research Institute System and method for predicting cyber threat
US8255347B2 (en) 2006-05-31 2012-08-28 Hartford Fire Insurance Company Method and system for classifying documents
US20120221485A1 (en) 2009-12-01 2012-08-30 Leidner Jochen L Methods and systems for risk mining and for generating entity risk profiles
US8266148B2 (en) 2008-10-07 2012-09-11 Aumni Data, Inc. Method and system for business intelligence analytics on unstructured data
US20120239694A1 (en) 2010-03-24 2012-09-20 Taykey Ltd. System and methods for predicting future trends of term taxonomies usage
US20130226865A1 (en) 2011-07-13 2013-08-29 Jean Alexandera Munemann Systems and Methods for an Expert-Informed Information Acquisition Engine Utilizing an Adaptive Torrent-Based Heterogeneous Network Solution
US8527513B2 (en) 2010-08-26 2013-09-03 Lexisnexis, A Division Of Reed Elsevier Inc. Systems and methods for lexicon generation
US8533840B2 (en) * 2003-03-25 2013-09-10 DigitalDoors, Inc. Method and system of quantifying risk
US8862565B1 (en) 2000-05-08 2014-10-14 Google Inc. Techniques for web site integration
US8874558B1 (en) 2012-09-11 2014-10-28 Google Inc. Promoting fresh content for authoritative channels
US9123046B1 (en) 2011-04-29 2015-09-01 Google Inc. Identifying terms

Patent Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8862565B1 (en) 2000-05-08 2014-10-14 Google Inc. Techniques for web site integration
US20020038430A1 (en) 2000-09-13 2002-03-28 Charles Edwards System and method of data collection, processing, analysis, and annotation for monitoring cyber-threats and the notification thereof to subscribers
US7890514B1 (en) 2001-05-07 2011-02-15 Ixreveal, Inc. Concept-based searching of unstructured objects
US8533840B2 (en) * 2003-03-25 2013-09-10 DigitalDoors, Inc. Method and system of quantifying risk
US8095559B2 (en) 2003-05-15 2012-01-10 Microsoft Corporation Fast adaptive document filtering
US20040236725A1 (en) * 2003-05-19 2004-11-25 Einat Amitay Disambiguation of term occurrences
US20060074632A1 (en) * 2004-09-30 2006-04-06 Nanavati Amit A Ontology-based term disambiguation
US8738552B2 (en) 2006-05-31 2014-05-27 Hartford Fire Insurance Company Method and system for classifying documents
US8255347B2 (en) 2006-05-31 2012-08-28 Hartford Fire Insurance Company Method and system for classifying documents
US8191149B2 (en) 2006-11-13 2012-05-29 Electronics And Telecommunications Research Institute System and method for predicting cyber threat
US20090048904A1 (en) 2007-08-16 2009-02-19 Christopher Daniel Newton Method and system for determining topical on-line influence of an entity
US8266148B2 (en) 2008-10-07 2012-09-11 Aumni Data, Inc. Method and system for business intelligence analytics on unstructured data
US20100100537A1 (en) 2008-10-22 2010-04-22 Fwix, Inc. System and method for identifying trends in web feeds collected from various content servers
US8166032B2 (en) 2009-04-09 2012-04-24 MarketChorus, Inc. System and method for sentiment-based text classification and relevancy ranking
US20120096552A1 (en) 2009-07-07 2012-04-19 Electronics And Telecommunications Research Institute System for an engine for forecasting cyber threats and method for forecasting cyber threats using the system
US20120221485A1 (en) 2009-12-01 2012-08-30 Leidner Jochen L Methods and systems for risk mining and for generating entity risk profiles
US20120239694A1 (en) 2010-03-24 2012-09-20 Taykey Ltd. System and methods for predicting future trends of term taxonomies usage
US8527513B2 (en) 2010-08-26 2013-09-03 Lexisnexis, A Division Of Reed Elsevier Inc. Systems and methods for lexicon generation
US9123046B1 (en) 2011-04-29 2015-09-01 Google Inc. Identifying terms
US20130226865A1 (en) 2011-07-13 2013-08-29 Jean Alexandera Munemann Systems and Methods for an Expert-Informed Information Acquisition Engine Utilizing an Adaptive Torrent-Based Heterogeneous Network Solution
US8874558B1 (en) 2012-09-11 2014-10-28 Google Inc. Promoting fresh content for authoritative channels

Non-Patent Citations (9)

* Cited by examiner, † Cited by third party
Title
"Search Report on European Patent Application EP 13004241.9", European Patent Office, dated Feb. 4, 2014.
Cimiano, P. et al., "Text2Onto-A Framework for Ontology Learning and Data-driven Change Discovery", NLDB Jun. 2005.
Gloor, P. et al., "Web Science 2.0: Identifying Trends through Semantic Social Network Analysis", Computational Science and Engineering, 2009. CSE '09. International Conf.
Hidenao Abe, et al., "Trend detection from large text data", 2010 IEEE International Conference on Systems Man and Cybernetics (SMC), Oct. 10, 2010, pp. 310-315.
Kim, D.H. et al., "Cyber Threat Trend Analysis Model Using HMM", In proceeding of: Information Assurance and Security, 2007. IAS 2007.
Maynard, D. et al., "NLP Techniques for Term Extraction and Ontology Population", Proceedings of the 2008 conference on Ontology Learning and Population, 2008.
Morris, T.I. et al., "A perceptually-relevant model-based cyber threat prediction method for enterprise mission assurance", CogSIMA 2011 IEEE, Feb. 2011.
Shusaku Tsumoto, et al. "Comparing similarity of concepts identified by temporal patterns of terms in biomedical research documents", 2012 IEEE 11th International Conference on Cognitive Informatics & Cognitive Computing (ICCI*CC 2012), Aug. 22, 2012, pp. 86-93.
Veda, "Social Media Analysis", download date Mar. 14, 2013. http://vedasemantics.com/social-analysis.html.

Also Published As

Publication number Publication date Type
US20160248793A1 (en) 2016-08-25 application
US9355172B2 (en) 2016-05-31 grant
EP2755146A1 (en) 2014-07-16 application
US20140283048A1 (en) 2014-09-18 application

Similar Documents

Publication Publication Date Title
Chen et al. AR-miner: mining informative reviews for developers from mobile app marketplace
US8494897B1 (en) Inferring profiles of network users and the resources they access
US20130326620A1 (en) Investigative and dynamic detection of potential security-threat indicators from events in big data
Pinto et al. Using early view patterns to predict the popularity of youtube videos
Dadvar et al. Improving cyberbullying detection with user context
US20120323627A1 (en) Real-time Monitoring of Public Sentiment
US20090077065A1 (en) Method and system for information searching based on user interest awareness
US20110087678A1 (en) Collaborative filtering engine
US20080201297A1 (en) Method and System for Determining Relation Between Search Terms in the Internet Search System
US20120191757A1 (en) System & Method For Compiling Intellectual Property Asset Data
US8463790B1 (en) Event naming
US20100100537A1 (en) System and method for identifying trends in web feeds collected from various content servers
Liu et al. Modeling and predicting the helpfulness of online reviews
Holton Identifying disgruntled employee systems fraud risk through text mining: A simple solution for a multi-billion dollar problem
Zhang et al. Improving movie gross prediction through news analysis
US20140114962A1 (en) System and Methods to Facilitate Analytics with a Tagged Corpus
US20130124192A1 (en) Alert notifications in an online monitoring system
Hundepool et al. Handbook on statistical disclosure control
Kandias et al. Proactive insider threat detection through social media: The YouTube case
US20110270845A1 (en) Ranking Information Content Based on Performance Data of Prior Users of the Information Content
Ochoa et al. Quality metrics for learning object metadata
US20100268776A1 (en) System and Method for Determining Information Reliability
Brynielsson et al. Harvesting and analysis of weak signals for detecting lone wolf terrorists
Muller Lurking as personal trait or situational disposition: lurking and contributing in enterprise social media
US20120330968A1 (en) System and method for matching comment data to text data

Legal Events

Date Code Title Description
AS Assignment

Owner name: ACCENTURE GLOBAL SERVICES LIMITED, IRELAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HOWES, JOSHUA Z.;SOLDERITSCH, JAMES;LASALLE, RYAN M.;ANDOTHERS;SIGNING DATES FROM 20130313 TO 20130318;REEL/FRAME:038514/0809